top of page
perceptive_background_267k.jpg

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access pri…

Published:

16 April 2026 at 22:00:00

Alert date:

17 April 2026 at 18:01:51

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

OpenHarness before commit bd4df81 contains a server-side request forgery (SSRF) vulnerability in the web_fetch and web_search tools. Attackers can manipulate tool parameters without proper validation to access private and localhost HTTP services. The vulnerability allows attackers to influence agent sessions to invoke tools against loopback, RFC1918, link-local, or other non-public addresses. This enables reading response bodies from local development services, cloud metadata endpoints, admin panels, and other private HTTP services reachable from the victim host.

Technical details

Mitigation steps:

Affected products:

OpenHarness

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-40516
https://github.com/HKUDS/OpenHarness/commit/bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae
https://github.com/HKUDS/OpenHarness/pull/92
https://www.vulncheck.com/advisories/openharness-ssrf-via-web-fetch-and-web-search

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page